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1 )^ Responsive to communication(s) filed on 26 September 2005 . 
2a )□ This action is FINAL. 2b)|3 This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 11, 453 O.G. 213. 
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DETAILED ACTION 
Acknowledgements 

1 . This is a non-final office action in response to tine Application filed on September 
26, 2005. 

2. Claims 1-26 are pending in this Office Action. 

Priority 

3. Acknowledgment is made of applicant's claim for foreign priority under 35 
U.S.C. 119(a)-(d). 

4. Receipt is acknowledged of papers submitted under 35 U.S.C. 1 1 9(a)-(d), which 
papers have been placed of record in the file. 



Information Disclosure Statement 



5. The information disclosure statement (IDS) submitted on June 2, 2006 was filed 

after the mailing date of the application on September 26, 2005. The submission is in 
compliance with the provisions of 37 CFR 1 .97. Accordingly, the information disclosure 
statement is being considered by the examiner. 
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Claim Rejections - 35 USC § 101 

6. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

7. Claims 1-14 and 24-26 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. 

8. In order for a method to be considered a "process" under §101, a claimed 
process must either: (1) be tied to another statutory class (such as a particular 
apparatus) or (2) transform underlying subject matter (such as an article or materials). 
Diamond v. Diehr, 450 U.S. 175, 184 (1981); Parker v. Flook, 437 U.S. 584, 588 n.9 
(1978); Gottschalk v. Benson, 409 U.S. 63, 70 (1972). If neither of these requirements 
is met by the claim, the method is not a patent eligible process under §101 and is non- 
statutory subject matter. 

Claims 1 and 24 are directed towards a method for assessing risk within an 
organization. As the claims are not sufficiently tied to an apparatus, such as a 
computer, and/or do not transform the underlying subject matter (from your claim) to a 
different state, the claimed method is non-statutory and therefore rejected under 35 
U.S.C. 101. 
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9. Claims 2-14 and 24-26 are rejected for being dependent upon rejected claim 1 . 

Claim Rejections - 35 USC §112 

10. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification sliall conclude witli one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

11. Claims 8, 9, and 21 are rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject matter 
which applicant regards as the invention. 

12. Claims 8, 9 and 21 are directed towards the method according to claim 1 and 16, 
and where the assets are "information related". It is unclear as to what constitutes 
"information related" as to inform one with ordinary skill in the art the metes and bounds 
of the invention. Therefore, Claims 8, 9 and 21 are rejected for being indefinite. 

13. Claim 10 is rejected for being dependent upon rejected claim 9. 

Claim Rejections - 35 USC § 103 



14. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 
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(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the phor art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

15. Claims 1, 6, 8, 14, 19, 21 and 23-26 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Tschiegg et al (US 2003/0160818) in view of Heinrich (US 
2003/0046128). 

16. With respect to claims 1 and 16, Tschiegg teaches a method for assessing risk 
within an organization, comprising: 

a. defining one or more zones, each of said one and more zones comprising 
an environment (paragraph 0009, regarding location identifiers, earthquake 
zones and flood zones); 

b. identifying one or more assets of said organization, each of said assets 
being located in a respective one of said zones (paragraph 0009, regarding risk 
management information within the zones, which include company assets; Figure 
4. regarding the listed assets in the database); 

c. conducting a respective impact assessment for each of said assets, each 
assessment comprising assessing the impact of the loss of said respective asset 
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(paragraph 0019, regarding determining loss before and after implementation of 
recommendation); 

d. conducting for each of said zones a respective zone risk assessment, 
comprising (paragraph 0058-0069, regarding the filter function that allows for 
customized reporting about specific risk management segments); 

e. conducting for each asset a respective asset risk assessment (paragraph 
0009-0010, regarding risk management and reporting functions); and 

f. assessing risk on the basis of at least said impact assessment, said zone 
risk assessment and said asset risk assessments (paragraph 0009-0010, 
regarding risk management and reporting functions). 

Tschiegg does not explicitly teach assessing a risk level of the asset within a 
zone. However, Heinrich teaches 

g. assessing the risk level associated with an asset (paragraph 0036); and 

h. assessing the risk level associated with said respective asset independent 
of the respective zone of said respective asset (paragraph 0037). 
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It would have been obvious to one of ordinary skill in the art to include the 
business system of Tschlegg with the ability to assessing a risl< level of the asset as 
taught by Heinrich since the claimed invention is merely a combination of old elements, 
and in the combination each element merely would have performed the same function 
as it did separately, and one of ordinary skill in the art would have recognized that the 
results of the combination were predictable. 

17. As to claims 6 and 19, Tschlegg further teaches maintaining a register of said 
zones (paragraph 0009, regarding database of location and zone information). 

18. Regarding claims 8 and 21 , Heinrich further teaches wherein each of said assets 
is information related (0049, regarding risk assessment of a computer network system). 

19. Regarding claims 14 and 23, Heinrich further teaches including determining a 
measured risk for each asset, said measured risk for a respective asset comprising the 
product of 1) an impact level determined in said impact assessment and 2) the 
maximum of an asset risk determined in said asset risk assessment and an asset risk 
determined in said zone risk assessment (paragraph 0045-0048, regarding associating 
asset risk to risk levels and conducting a risk assessment). 
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20. With respect to claim 24, Tschiegg further teaches a risl< management method, 
comprising managing said risk (paragraph 0003, regarding managing risl<). 

21. As to claim 25, Heinrich further teaches wherein said managing of said risk 
comprises: 

i. determining the distribution of the number of assets as a function of 
associated measured risk (paragraph 0045, regarding assigning value to each 
risk to calculate an overall risk); 

j. determining a maximum acceptable risk level (paragraph 0048, regarding 
upper limit of the risk severity); and 

k. applying one or more controls if any of said assets exceeds said maximum 
acceptable risk level (paragraph 0168, regarding implementing changes to 
eliminate or downgrade risks). 

22. Regarding claim 26, Heinrich further teaches wherein said acceptable risk level 
comprises the lower of the highest available measured risk or 100% (paragraph 0058). 
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23. Claims 2-5, 7, 9-13, 15, 20, and 22 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Tschiegg et al (US 2003/0160818) and Heinrich (US 2003/0046128) 
in further view of Lovejoy et al (US 2002/0138416). 

24. Regarding claims 2 and 17, Tschiegg in view of Heinrich teaches a method as 
claimed in claim 1 . Tschiegg in view of Heinrich does not directly teach identifying asset 
custodians. However, Lovejoy teaches identifying one or more asset custodians, each 
comprising a custodian of a respective asset, and identifying one or more of said assets 
(paragraph 0056 and 0060, regarding the category of users that inventory the assets). 

It would have been obvious to one of ordinary skill in the art to include the 
business system of Tschiegg and Heinrich with the ability to identify asset custodians as 
taught by Lovejoy since the claimed invention is merely a combination of old elements, 
and in the combination each element merely would have performed the same function 
as it did separately, and one of ordinary skill in the art would have recognized that the 
results of the combination were predictable. 

25. As to claim 3, Lovejoy further teaches wherein each of said custodians is an 
employee with care-taking responsibilities (paragraph 0056 and 0060, regarding the 
category of users that inventory the assets). 
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26. With respect to claim 4, Lovejoy further teaches including maintaining a register 
of said assets (paragraph 0055, regarding the inventory of assets stored in a database). 

27. Regarding claim 5, Lovejoy further teaches wherein said register includes a 

respective owner of each of said assets (paragraph 0056 and 0060, regarding the 
category of users that inventory the assets; also see page 20 of applicant's specification 
where custodians can also be owners). 

28. As to claims 7 and 20, Lovejoy further teaches the register of zones as taught by 
Tschiegg including a respective custodian of each of said zones (paragraph 0056 and 
0060, regarding the category of users that inventory the assets). 

29. With respect to claim 9, Tschiegg in view of Heinrich teaches a method as 
claimed in claim 2 wherein each of said assets is information related. Lovejoy further 
teaches where each of said asset custodians is an information custodian, each 
comprising a custodian of a respective information storage device within said 
organization (paragraph 0056 and 0060, regarding the category of users that inventory 
the assets). 

30. As to claim 10, Lovejoy defines custodians including users, risk assessor, 
security practitioner (physical and environmental custodian) and system administrators 
(MIS support custodian) (paragraph 0056). Lovejoy does not directly teach network 
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custodians or software engineering custodians. However, tine simple substitution of one 
l^nown element for another producing a predictable result renders the claim obvious. 
Therefore, it would have been obvious to one with ordinary skill in the art to add 
additional network custodians and software engineering custodians to the system in 
Lovejoy. 

31. Regarding claims 11 and 12, whether the zone assessment is conducted by the 
respective custodian or owner of said respective zone is representative of descriptive 
material that does not modify the functionality of the underlying method to distinguish 
the claimed invention from the prior art. In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 
401, 404 (Fed. Cir. 1983). Therefore, it would have been obvious to one with ordinary 
skill in the art to have the custodian or owner of the asset conduct the zone 
assessment. 

32. As to claims 13 and 22, Lovejoy further teaches regarding the loss of an asset as 
equivalent to the loss of a system of which said asset is a part (paragraph 0063, 
compromised assets causing a loss to the organization). 

33. With respect to claim 15, Lovejoy further teaches wherein none of said 
custodians is an owner (paragraph 0056 and 0060, regarding the category of users that 
inventory the assets). 
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Conclusion 

34. Any inquiry concerning this communication or earlier communications from tine 
examiner should be directed to BRAND! P. PARKER whose telephone number is (571) 

272- 9796. The examiner can normally be reached on Mon-Thurs. 8-5pm. 

35. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Bradley B. Bayat can be reached on (571) 272-6704. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 

273- 8300. 

36. Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (BBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/BRANDI P PARKER/ 
Examiner, Art Unit 3624 

/Bradley B Bayat/ 

Supervisory Patent Examiner, Art Unit 3623 



